It was found that the fix for CVE-2014-6271 was incomplete, and Bash stillallowed certain characters to be injected into other environments viaspecially crafted environment variables. An attacker could potentially usethis flaw to override or bypass environment restrictions to execute shellcommands. Certain services and applications allow remote unauthenticatedattackers to provide environment variables, allowing them to exploit thisissue. (CVE-2014-7169)

See the point? Does it look scarry? A remote script is downloaded to your system, and execute it. So any local services that use shell for interpretation basically is vulnerable and you should patch bash as soon as possible. As of this moment of writing, the patch is out. In CentOS 7, the patched is included in the package bash-4.2.45-5.el7_0.4.x86_64. Read the changelog below.

Below are some service which uses bash and if your system use some of it, you should know what to do.

ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.

Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in Bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).

PHP scripts executed with mod_php are not affected even if they spawn subshells.

DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.

Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.

Any other application which is hooked onto a shell or runs a shell script as using Bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

Sunday, October 12, 2014

Last we learned the basic of journalctl, today we will enable FSS in journald.

Forward Secure Sealing or FSS allows application to cryptographically "seal" the system logs in regular time intervals, so that if your machine is hacked the attacker cannot alter log history (but can still entirely delete it). It works by generating a key pair of "sealing key" and "verification key".

read more at https://eprint.iacr.org/2013/397

Okay, let's set it up. With this, we will use CentOS 7 for learning.

As root, let's setup the keys.

[root@centos7-test1 ~]# journalctl --setup-keys/var/log/journal is not a directory, must be using persistent logging for FSS.

Hmm.. not possible because /run is mounted on tmpfs. We will now enable persistent storage for journald.

As you may noticed, journalctl show all the logging since the system was booted until at this moment. So there are a lot of lines and data to be interpreted. So you might want to look into the parameters accepted for this application.

If you want to show most recent log, give -r. This will reverse the ordering by showing newest entries first. If you want to show newest ten lines, give -n as a parameter. Example journalctl -r -n 10

To show how much all these log take the disk space, give --disk-usage. Note that journal logs are stored in the directory /run/log/journal and not /var/log.

If you want to show only log from a unit(service), give --unit. Example journalctl --unit=sshd will show logging for sshd only. Very neat!

Sometime you just want to monitor a certain range of date and/or time. You can append parameter --since and --until. Example journalctl --since="2014-09-14 01:00:00" --until="2014-09-14 02:00:00" it will show all journal within that duration of 1hour. I think this is really good for system monitoring, system support or even during finding trace of compromised system.

If you want the journal logs to appear in web interface, you can format the logging to a format the web application supported. As of this time of writing, journalctl supported the following format.

short

is the default and generates an output that is mostly identical to the formatting of classic syslog files, showing one line per journal entry.

short-iso

is very similar, but shows ISO 8601 wallclock timestamps.

short-precise

is very similar, but shows timestamps with full microsecond precision.

short-monotonic

is very similar, but shows monotonic timestamps instead of wallclock timestamps.

verbose

shows the full-structured entry items with all fields.

export

serializes the journal into a binary (but mostly text-based) stream suitable for backups and network transfer (see Journal Export Format[1] for more information).

json

formats entries as JSON data structures, one per line (see Journal JSON Format[2] for more information).

json-pretty

formats entries as JSON data structures, but formats them in multiple lines in order to make them more readable for humans.

json-sse

formats entries as JSON data structures, but wraps them in a format suitable for Server-Sent Events[3].

cat

generates a very terse output only showing the actual message of each journal entry with no meta data, not even a timestamp.

json would probably comes in mind to display the logging on web interface.

There is also a feature known as Foward Secure Sealing where the log will be encrypted using a sealing key and the log can be verified using a verification key. You can check on parameter such as, --setup-keys --interval --verify --verify-key. We won't cover FFS in this article, perhaps sometime in the future, I will devote an article on how to set this up.

There are also many other good option that help you analyze the log using different strategy like -b, -p and logical operator but that this article should be able to give you a head start. You can find more information through journalctl manual.

That's odd, something has changed. For your information, sysV has been replaced in favor of systemd and today we are going to learn what is systemd is. So what is systemd ?

systemd is a system and service manager for Linux, compatible with SysV and LSB init scripts. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux cgroups, supports snapshotting and restoring of the system state, maintains mount and automount points and implements an elaborate transactional dependency-based service control logic. It can work as a drop-in replacement for sysvinit.

That is a very lengthy definition. If you are still not so sure, perhaps take a moment to watch a video here.

Because there are a lot of documentations in the google to explain what is systemd in details, but this article will target busy people who need the solution right now. As such, if you want more details solutions, you should google or read a few helpful links below.

Lennart Poettering and Kay Sievers, the software engineers who initially developed systemd,[1] sought to surpass the efficiency of the init daemon in several ways. They wanted to improve the software framework for expressing dependencies; to allow more processing to be done concurrently or in parallel during system booting; and to reduce the computational overhead of the shell.

Systemd's initialization instructions for each daemon are recorded in a declarative configuration file rather than a shell script. For inter-process communication, systemd makes Unix domain sockets and D-Bus available to the running daemons. Systemd is also capable of aggressive parallelization.

There are several tools to manage systemd.

systemctl:used to introspect and control the state of the systemd system and service manager

systemd-cgls:recursively shows the contents of the selected Linux control group hierarchy in a tree

systemadm:a graphical frontend for the systemd system and service manager that allows introspection and control of systemd. Part of the systemd-gtk package. This is an early version and needs more work. Do not use it for now unless you are a developer.

Below are a table to summarize what you usually done in chkconfig and in systemd, what command you can use as a replacement.

Sysvinit Command

Systemd Command

Notes

service frobozz start

systemctl start frobozz.service

Used to start a service (not reboot persistent)

service frobozz stop

systemctl stop frobozz.service

Used to stop a service (not reboot persistent)

service frobozz restart

systemctl restart frobozz.service

Used to stop and then start a service

service frobozz reload

systemctl reload frobozz.service

When supported, reloads the config file without interrupting pending operations.

systemctl set-default <name of target>.targetgraphical.target is the default. You might want multi-user.target for the equivalent of non graphical (runlevel 3) from sysv init.

systemctl get-defaultto show the currentl target/runlevel

Note, there are several changes you should keep in mind.* systemd does not use /etc/inittab file.* change number of gettys in /etc/systemd/logind.conf* unit files are now store in /usr/lib/systemd/system/

That's it, I hope you get a basic understanding and will be able to start using systemd.

Friday, September 12, 2014

With the recent release of CentOS7, today we are going to check out the basic network configuration. My usual quick command, ifconfig.

[root@localhost ~]# ifconfig-bash: ifconfig: command not found

it seem like ifconfig is not longer there, note that if you do upgrade from centos 6.x , you should be aware of this. If you are going to configure network interface, start to get familiar to command ip. But if you want command ifconfig, you can still install the package net-tools.

Noticed that service manager now is done via systemctl, C7 is using systemctl in replace of SysV. Also notice configuration file for ifcfg-lo is not loadable? This issue has been file here.

Upstream has changed the default networking service is provided by NetworkManager, which is a dynamic network control and configuration daemon that attempts to keep network devices and connections up and active when they are available.

If it does not install for any reason (which it should not because it comes with predefault installation), you can follow these commands

If you are configuring manually remotely, you can use command nmtui. nmtui is a simple curses-based text user interface. But if you want to configure interface using script, better still to use command ip or nmcli. For more information, you can read here.

That's it for this article. I would like to thank my buddy for kind enough to let me ssh and study centos 7 in his host. :) you know who you are! dankeschon!

Saturday, July 19, 2014

I'm always a big fan and user of CentOS. Started using CentOS 4 and it is very stables and secure for company servers usage. With the current release of CentOS 7, it is definitely worth while to check in out the release note.

It is definitely encourage to see that, for the first time, major upgrade between major CentOS is possible now.

The install media is splited such that it comes with the window managers. For server installation, you should really go using net install.

There are some known issues which you should really consider if you are doing upgrade and make sure you are well prepare.network - Many people have complained that Ethernet interfaces are not started with the new default NetworkManager tool/have to be explicitly enabled during installation. See CentOS-7 FAQ#2.installer memory usage - The installer needs at least 406MB of memory to work. On systems with less memory then 406MB the installation will terminate with a fatal error. 512MB is the minimum memory requirement for CentOS-7.small screen - If your screen resolution is 800x600 or lower, parts of the images shown at the bottom during install are clipped. So watch up on the next,back and cancel buttons.So I think this is a brief summary to get you started but you can find more at here.